PT-2019-9273 · Yealink · Sip-T41P
Published
2019-05-29
·
Updated
2019-05-31
·
CVE-2018-16217
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Yealink Ultra-elegant IP Phone SIP-T41P version 66.83.0.35
Description
The network diagnostic function, specifically its ping feature, is vulnerable to OS command injection. A remote authenticated attacker can use it to execute arbitrary OS commands on the phone or to establish a reverse shell.
Recommendations
For version 66.83.0.35, disable the network diagnostic function, specifically the ping feature, until a patch is available, so that the command injection cannot be reached. Restrict access to the device to minimize the risk of exploitation by authenticated attackers.
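The defect described above is the classic ping-diagnostic pattern in which a user-supplied host is concatenated into a shell command. The following is an added example written for this page, not Yealink firmware code: it contrasts that string-building pattern with a hardened handler that allow-lists the target (IP literal or RFC 1123 hostname) and spawns `ping` without a shell. The function names are assumptions.

```python
import ipaddress
import re
import subprocess

# RFC 1123 label grammar: alphanumerics and hyphens, no leading/trailing hyphen.
# Shell metacharacters (';', '|', '`', '$(', spaces) can never match it, and a
# target can never start with '-', so it cannot be parsed as a ping option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def vulnerable_ping_command(target: str) -> str:
    """The defective pattern: the raw target is interpolated into a shell string.
    Returned (not executed) here only to show that metacharacters pass through."""
    return f"ping -c 4 {target}"


def is_valid_ping_target(target: str) -> bool:
    """Allow-list check: accept only an IP address or a well-formed hostname."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)   # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(target) is not None


def build_ping_argv(target: str, count: int = 4) -> list:
    """Build ping's argument vector; raise ValueError instead of passing bad input on."""
    if not is_valid_ping_target(target):
        raise ValueError("invalid ping target")
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    # One argument per element: nothing is re-parsed by a shell.
    return ["ping", "-c", str(count), target]


def run_ping(target: str, count: int = 4) -> str:
    """Hardened handler: argv list, no shell, bounded runtime, output captured."""
    argv = build_ping_argv(target, count)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=30, check=False)
    return proc.stdout
```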
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Sip-T41P